Authentication
Every programmatic call uses an organization API key. Sign up at kallglot.com, open the Developer Portal, and create keys per environment (sk_live_* vs sk_test_*).
API Keys
Every API key belongs to a single organization.Key Types
Why calls fail (401, 402, 403)
Typical gate checks: unknown or revoked keys, wrong live/test environment, inactive subscription, or exhausted API credits. See Errors when wiring retries.
Making Authenticated Requests
Use theAuthorization header with a Bearer token:
Request Headers
WebSocket Authentication
WebSocket connections use the session stream token returned byPOST /v1/sessions, not your API key.
That JSON body is WebSocket-only (no PSTN leg). For Twilio, Telnyx, or SIP, add
routing on POST /v1/sessions as documented in Create Session—do not use a nested provider object.Token Expiration
Stream tokens expire after 5 minutes. Thestream.expires_at field tells you exactly when the token expires. Token expiry is checked only when the WebSocket connects, so an already-connected stream stays active after that point.
API Key Permissions
API keys can be scoped to the smallest permission set your application needs:
New keys are created with the full standard scope set listed above so integrations work out of the box; prefer the smallest viable set whenever you can customize scopes.
Response Headers
Authenticated HTTP responses may include these headers:
For billable write requests, the credit headers reflect the post-request balance when the request succeeds.
Authentication And Billing Errors
Security Best Practices
Rotate keys regularly
Rotate keys regularly
Create new API keys periodically and revoke old ones to reduce exposure if a key is leaked.
Use environment variables
Use environment variables
Store API keys in environment variables or a secret manager, never in source control.
Separate test and live keys
Separate test and live keys
Live keys should only be used against the live API environment. Test keys should only be used in test or sandbox environments.
Monitor usage and credits
Monitor usage and credits
Watch the Developer Portal for unusual API activity, rate-limit pressure, and low API-credit balances.
Revoke compromised keys immediately
Revoke compromised keys immediately
If a key may have been exposed, revoke it immediately and replace it with a new scoped key.
See Error Codes for the full error catalog and Rate Limits for throughput limits and retry guidance.